Monitoring network for containers

Hi,

one of my servers with multiple containers has been hacked, and suspicious traffic has been detected by the server provider (bare metal server at OVH).
I’m rather confident that the host is clean, but I’m not sure which container is faulty.

My containers have network access via an incus bridge.

How can I monitor network traffic by originating container?
Also, what is the way to isolate a specific container, i.e. to suppress network access on a container?

Thanks
Franck

Each container has a veth device. You can tcpdump on that veth from the host.

You can remove networking altogether from a container. You create a copy of the default Incus profile, and in that copy you remove the eth0 device, the rest remains the same. Finally you attach that new profile to the container, replacing the default profile.
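As an added illustration of the first suggestion (not code from the thread or from the Incus project): a small POSIX shell helper set that finds each container's host-side veth from the `volatile.<nic>.host_name` key, captures per container into a separate pcap, and then tallies destination addresses from tcpdump's text output so the noisy container stands out. The `incus`, `tcpdump` and `awk` invocations are assumed to be on PATH and run as root; the tcpdump sample lines are constructed for the tally demo and are not from the original post.

```shell
#!/bin/sh
# Added example: per-container traffic capture on the host side of the veth pair.
# Assumes the NIC device in the instance config is named eth0 unless given as $2.

# Host-side veth name for a running container, from Incus' volatile config.
veth_for() {
  incus config get "$1" "volatile.${2:-eth0}.host_name"
}

# Capture one container's traffic into <name>.pcap (no name resolution, N packets).
capture_one() {
  v=$(veth_for "$1") && [ -n "$v" ] || { echo "no veth for $1 (stopped?)" >&2; return 1; }
  tcpdump -nn -i "$v" -c "${2:-10000}" -w "$1.pcap"
}

# Capture every container in parallel, one pcap each, so the culprit can be compared.
capture_all() {
  for c in $(incus list -c n -f csv); do
    capture_one "$c" "$1" &
  done
  wait
}

# Tally destination IPv4 addresses from `tcpdump -nn -l` text lines on stdin,
# busiest first. Strips the trailing port (5 dotted parts) or the bare colon
# (ICMP lines have no port). IP6 lines are skipped.
top_destinations() {
  awk '$2 == "IP" {
         d = $5; sub(/:$/, "", d)
         n = split(d, p, ".")
         if (n == 5) d = p[1] "." p[2] "." p[3] "." p[4]
         count[d]++
       }
       END { for (d in count) print count[d], d }' | sort -rn -k1,1
}

# Constructed sample of tcpdump text output (not real traffic) for the tally.
SAMPLE='12:00:01.000001 IP 10.10.10.5.44321 > 1.1.1.1.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 10.10.10.5.44322 > 1.1.1.1.443: Flags [S], seq 2, win 64240, length 0
12:00:01.000003 IP 10.10.10.5 > 1.1.1.1: ICMP echo request, id 1, seq 1, length 64
12:00:01.000004 IP 10.10.10.5.44323 > 203.0.113.9.80: Flags [S], seq 3, win 64240, length 0
12:00:01.000005 IP 1.1.1.1.443 > 10.10.10.5.44321: Flags [S.], seq 0, ack 2, win 65535, length 0'

# Busiest destination in the sample, as "count address".
busiest_sample_destination() {
  printf '%s\n' "$SAMPLE" | top_destinations | head -n 1
}
```

Usage: `capture_all 5000` writes one pcap per running container; `tcpdump -nn -l -r web.pcap | top_destinations` then summarises a single container's destinations. Because the capture point is the host side of the veth, nothing inside the suspect container can hide it.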


I created a nonet profile, removing only the eth0 device.
I added it to my container.

But when I start it and log into it, I still can ping 1.1.1.1.

I was expecting no network at all… What am I missing?

What I was missing is removing default profile from the container… sorry !
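The profile steps from the answer above and the gotcha from this reply, as an added shell example (not code from the thread or from the Incus project): the nonet profile is a copy of default minus eth0, and the instance's profile list is replaced with `incus profile assign` rather than extended with `incus profile add`, since leaving default attached is exactly what kept eth0 in place. The profile name `nonet` and the NIC device name `eth0` are assumptions taken from the thread.

```shell
#!/bin/sh
# Added example: put one container on a profile with no NIC device.

# Create the nonet profile once: copy default and drop its eth0 device.
make_nonet_profile() {
  incus profile show nonet >/dev/null 2>&1 && return 0
  incus profile copy default nonet
  incus profile device remove nonet eth0
}

# Replace the instance's whole profile list. "assign" is the point: "profile add"
# would keep default attached, and default still carries eth0.
isolate() {
  make_nonet_profile
  incus profile assign "$1" nonet
}

# Pure check on a comma-separated profile list (as printed by
# `incus list <name> -c P -f csv`): is default still attached?
still_has_default() {
  case ",$1," in
    *,default,*) return 0 ;;
    *) return 1 ;;
  esac
}

# Verify after isolating: fail loudly if default is still in the list.
check_isolated() {
  if still_has_default "$(incus list "$1" -c P -f csv)"; then
    echo "$1 still has the default profile; eth0 is still present" >&2
    return 1
  fi
  incus exec "$1" -- ip -o link | grep -v ' lo:' || echo "$1: no non-loopback links"
}
```

Usage: `isolate web && check_isolated web`. Profile device changes are applied to running instances, so the container keeps its running state (useful if you want to look at it afterwards) while losing its only path to the bridge.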
